
Re: How to authenticate ESP (was risks of MACs)



>I'm in favor of approach 1.  It may require more key material in the
>case where the hash is unkeyed in approach 2 but it is at least some
>faster and permits the possibility of entities that can authenticate
>but read read packets.  (Yes, for keyed MD5 that means they can forge
>authentic packets but can't set the unencrypted data from them.  But
>this is not true for some other possible authentication means and, in
>any case, there might be entities you would trust that far.)

If you wanted an entity that could verify the authenticity of a packet
without being able to read the contents, wouldn't it make more sense
to run two nested IPSP associations, one for encryption that runs
end-to-end and another for authentication only that runs, e.g., between
two routers?

My original reason for this approach is just as Bill stated. I
wanted to make it as difficult as possible to sabotage with bogus
traffic, and I can't think of any other reasons other than to make the
code more modular.

Doing authentication outside of encryption does assume things about
the relative CPU complexity of authentication and encryption, and
these can change over time. But it does seem likely that MD5-like
functions will remain faster than DES-like functions for some time.

Phil
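
Added example, not part of the original message: a sketch of authentication applied outside encryption, where a bogus packet is dropped before any decryption work and a party holding only the authentication key can verify without reading. HMAC-SHA256, the SHA-256 counter-mode stand-in cipher, the packet layout, the keys and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

NONCE_LEN = 8
TAG_LEN = 32                      # HMAC-SHA256 output size
ENC_KEY = b"constructed-enc-key"  # constructed sample keys
AUTH_KEY = b"constructed-auth-key"

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for the demo only (SHA-256 in counter mode).
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(enc_key: bytes, auth_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Sender: encrypt first, then authenticate nonce + ciphertext."""
    body = nonce + _keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()

def verify(auth_key: bytes, packet: bytes) -> bool:
    """Holder of auth_key only (e.g. a router): check the tag, never decrypt."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return False
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def open_packet(enc_key: bytes, auth_key: bytes, packet: bytes, stats: dict):
    """End host: reject forgeries before spending any decryption work."""
    if not verify(auth_key, packet):
        stats["dropped"] += 1
        return None
    stats["decrypted"] += 1
    nonce, ct = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN]
    return _keystream_xor(enc_key, nonce, ct)

if __name__ == "__main__":
    stats = {"dropped": 0, "decrypted": 0}
    good = seal(ENC_KEY, AUTH_KEY, b"\x00" * NONCE_LEN, b"hello ipsp")
    bogus = good[:10] + bytes([good[10] ^ 1]) + good[11:]  # one flipped bit
    print(open_packet(ENC_KEY, AUTH_KEY, good, stats))
    print(open_packet(ENC_KEY, AUTH_KEY, bogus, stats))
    print(stats)
```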


